SANS NewsBites Vol. 9 Num. 99

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Dec 18 2007 - 12:28:58 CST



2008 is going to be an eventful and opportunity-rich year for security
professionals. Demand will surge for three new types of skills, and as
senior executives in government and industry finally become aware that
their systems have already been compromised and that they do not
control those systems, their reaction will create additional
"opportunities." An evening workshop is planned, on how to be prepared
for and take advantage of these opportunities, at Security 2008 in New
Orleans in four weeks. It's open to all who are registered for training
at that conference. Check out the courses (Hacker Exploits, Wireless,
Security Essentials, Security Leadership, Auditing, CISSP Test Prep,
Forensics, more) at http://www.sans.org/security08/event.php. Once you
have registered, email me (apaller@sans.org) and I'll send you a summary
of the topics we'll cover in the evening workshop.

                                     Alan

*************************************************************************
SANS NewsBites December 18, 2007 Vol. 9, Num. 99
*************************************************************************
TOP OF THE NEWS
  Ask.com Lets Users Erase Search Data
  UK Insurance Company Gets Record Fine for Poor Data Security
  Ohio Sec. of State Calls for Replacing eVoting Machines
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Facebook Sues Canadian Firm for Attempted Data Mining
    Seven Arrested in Internet Bank Theft Scheme
    Guilty Plea in CA Power Grid Sabotage Attempt
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    Missing Laptop Holds UK Parliament Security Details
    Data Security Procedures Not Shared with Junior HMRC Staff
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Apple Releases QuickTime and Java Fixes
    IE Patch Reportedly Causes Connectivity Problems
    HP Offers Temporary Fix for Info Center Software Flaw
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Disk Holding UK Driving Test Results is Lost
    Students Allegedly Hack High School Computer System
    Deloitte & Touche Employee Data on Stolen Laptop
LIST OF UPCOMING FREE SANS WEBCASTS

************************ Sponsored By Cenzic ****************************

Security Test Production Web Applications! Continuously testing your
production web applications - without corrupting your applications or
their data is NOW possible. With over 400 new application
vulnerabilities every month it is imperative to test and re-test all Web
applications, and not just the ones in development and quality assurance
stages. Learn how.
http://www.sans.org/info/21051

*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development,
Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS'
other top-rated courses?
- New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- Phoenix (2/11 - 2/18): http://www.sans.org/phoenix08/event.php
- Prague (2/18-2/23): http://www.sans.org/prague08
- and in 100 other cities and on line any-time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Ask.com Lets Users Erase Search Data
(December 11, 2007)
Users of the Ask.com search engine can now request that their search
queries be purged from Ask's servers immediately. Other search engines
store search histories for as long as 18 months. AskEraser will, when
enabled, delete any future search information, including IP addresses,
user IDs, session IDs, and query text.
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7138260.stm
[Editor's Note (Pescatore): Very good to see this move. The next step
forward is to make *not* storing the information as the default and
require the user to opt-in to allowing such information to be stored.
Personally, the first search engine to do so will get all my search
business.
(Schultz): In offering this new option, Ask.com has most commendably
broken new ground with respect to privacy protection. Other search
engine providers now need to follow suit.
(Skoudis): Wow! I like this feature a lot. Search history is a very
dangerous and scary thing, as people increasingly search for their own
names and interests. Correlating across different searches by a single
user can be a hugely valuable information source to discover very
sensitive personally identifiable information about people, including
their healthcare histories (if they search for their own maladies, which
people inevitably do). In fact, one wonders what the HIPAA implications
are for large search engine providers (I don't want to name names here)
who certainly have healthcare information about their users all summed
up in their search histories. The erase history option being pioneered
by ask.com is fascinating in this light.]

 --UK Insurance Company Gets Record Fine for Poor Data Security
(December 17, 2007)
UK insurance company Norwich Union has been fined GBP 1.26 million (US
$2.5 million) by the Financial Services Authority (FSA) for failing to
provide adequate protection of customer data. Eleven people have been
arrested in connection with a scheme in which thieves were able to
impersonate Norwich Union customers by calling the company's call center
and attempting to cash in policies totaling GBP 3.3 million (US $6.6
million). Some bank account data were exposed. The fine levied against
Norwich is the highest ever by the FSA for data security issues.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053298&source=rss_topic17
http://www.theregister.co.uk/2007/12/17/norwich_union_life_fsa_fine/print.html
http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article3062076.ece
http://dofonline.co.uk/governance/fsa-fines-norwich-union-over-data-losses9288.html
[Editor's Note (Honan): According to The Times article, 'Norwich Union
Life informed and then protected present and former directors of its
business and its owner Aviva but did not "inform and protect the
policyholders who were not connected with the business".' This
disregard towards customers is a prime reason why the EU and the UK need
to introduce mandatory information security breach disclosure laws. ]

 --Ohio Sec. of State Calls for Replacing eVoting Machines
(December 15 & 17, 2007)
In response to a report she commissioned, Ohio Secretary of State
Jennifer Brunner has called for replacing all voting machines in the
state. According to the report, all five systems used in Ohio contain
critical flaws that could be exploited to alter election results.
Brunner wants the state to replace the problematic machines with optical
scan machines. People gathering information for the study were able to
pick locks and gain access to memory cards, use portable storage devices
to insert phony votes into machines and in some cases, install malicious
software on the machines. Brunner wants the new machines to be ready
for use in the November 2008 presidential election.
http://www.nytimes.com/2007/12/15/us/15ohio.html?_r=1&oref=slogin&pagewanted=print
http://www.securityfocus.com/brief/646
[Editor's Note (Pescatore): This is another example of the high cost of
buying mission critical technology without having security as a key
evaluation criterion.]

************************* Sponsored Link: *****************************
1) Stop data leaks and sanitize your servers before they leave your
premises. Blancco them today. http://www.sans.org/info/21056
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Facebook Sues Canadian Firm for Attempted Data Mining
(December 18, 2007)
Facebook has filed a lawsuit alleging that a Canadian pornography
company used scripts to gather personal details from its social
networking site. The company allegedly made more than 200,000 requests
from information on Facebook over a two-week period. The lawsuit was
originally filed in June and recently amended to include the identities
of three people associated with the servers that tried to access
Facebook's site after their identities were obtained through a court
order; 14 other defendants remain unnamed. Facebook did not say if the
data mining attack was successful.
http://computerworld.co.nz/news.nsf/scrt/01DDB02B3FBCDD31CC2573B400689A2F
http://www.theregister.co.uk/2007/12/17/facebook_hack_attack_lawsuit/print.html
http://www.cbc.ca/canada/montreal/story/2007/12/17/tech-facebook.html
[Editor's Note (Skoudis): Although the technical details revealed
publicly are very sketchy, this sounds like good, old-fashioned account
harvesting, guessing usernames and determining if they are valid based
on different error messages that come back. Enterprises need to make
sure their authentication error messages for the condition of "bad
userID / bad password" are identical with the messages for the "good
userID / bad password" condition. Also, I hope the courts tread very
carefully here. While the company that tried to do account harvesting
in this case sounds quite unseemly, the precedent established here could
inhibit development of new, helpful web applications if interpreted too
broadly.
(Ullrich): Facebook uses a "robots.txt" file, which should tell well
behaved spiders what pages are open to be indexed. Search engines
typically obey the robots.txt file. However, the use of robots.txt files
does not prevent data mining, and a web application should put
limitations in place as to how many pages can be accessed in a given
time interval.
(Cole): This is an indicator that we all need to do a better job of
protecting our families online. We have all been trained not to talk
to strangers and understand the dangers of social engineering. However
we need to talk to our families and loved ones over the holidays about
the dangers of posting information online.]
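As an added illustration of the two mitigations raised in the notes above (identical failure messages for the "bad userID" and "good userID / bad password" conditions, and a per-client limit on how many requests are accepted in a time window), this is example code written here, not code from the newsletter or from any of its editors; the user store, salt and passwords are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample credential store: username -> (salt, PBKDF2-SHA256 hash).
# Iteration count kept low so the example runs quickly; raise it in practice.
_ITERATIONS = 10_000


def _derive(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, _ITERATIONS)


_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _derive(b"correct horse", _SALT))}

# Dummy record so that an unknown username still costs one hash derivation,
# keeping the response time similar for both failure conditions.
_DUMMY = (_SALT, _derive(b"dummy", _SALT))

GENERIC_ERROR = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """'Before' form: distinct messages reveal whether the userID exists."""
    if username not in USERS:
        return False, "Unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_derive(password.encode(), salt), stored):
        return False, "Wrong password"
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: same message and same work for both failure conditions."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_derive(password.encode(), salt), stored)
    if username not in USERS or not match:
        return False, GENERIC_ERROR
    return True, "OK"


def leaks_user_existence(handler) -> bool:
    """Defender self-check: does the failure message depend on whether the
    username exists? Compares an unknown user against a known user with a
    wrong password."""
    _, msg_unknown_user = handler("nobody", "x")
    _, msg_bad_password = handler("alice", "x")
    return msg_unknown_user != msg_bad_password


class RateLimiter:
    """Sliding-window cap on attempts per client key (e.g. source address).
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_attempts: int, window_seconds: float, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client: str) -> bool:
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def attempt_login(limiter: RateLimiter, client: str, username: str, password: str) -> tuple[bool, str]:
    """Front door: apply the per-client limit before touching credentials at all."""
    if not limiter.allow(client):
        return False, "Too many attempts; try again later."
    return login_uniform(username, password)


if __name__ == "__main__":
    print("leaky handler leaks user existence:", leaks_user_existence(login_leaky))
    print("uniform handler leaks user existence:", leaks_user_existence(login_uniform))
```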

 --Seven Arrested in Internet Bank Theft Scheme
(December 15, 2007)
Seven people have been arrested in India for breaking into bank accounts
over the Internet and stealing nearly Rs 12 lakh (US $30,500). The alleged ringleader was
caught in a cyber cafe in Mahadevapura on November 29; authorities were
able to track him down through the IP address of the computer used to
make the unauthorized transactions. The ringleader allegedly installed
keystroke-logging software on computers at the cyber cafe to obtain the
information needed to access the accounts online. The stolen money was
transferred to accomplices' accounts. A raid on the suspect's home
found details of 100 accounts from a variety of banks.
http://www.business-standard.com/common/storypage_c.php?leftnm=10&autono=307570
[Editor's Note (Ullrich): Yet another reason not to use random public computers for sensitive work.]

 --Guilty Plea in CA Power Grid Sabotage Attempt
(December 14, 2007)
A former contract system administrator has pleaded guilty to attempting
to shut down the state's power grid. Lonnie Denison was reportedly
having troubles at work and angry that his computer privileges had been
revoked at the California Independent System Operator (Cal-ISO) data
center. Denison broke a glass cover and pushed the emergency "off"
switch, effectively isolating California from the rest of the energy
market. The incident occurred late on a Sunday evening, a time of
relatively low power demand, and took about seven hours to repair at a
cost of approximately US $14,000. If he is convicted of all charges
against him, Denison could face up to five years in prison and a fine
of US $250,000.
http://www.pcworld.com/printable/article/id,140587/printable.html
[Editor's Note (Skoudis): When I read this story, I couldn't help but
wonder what the sign next to the big off switch says. Oh, and that
switch has got to be red, right?
(Kreitner): One would think that multiple layers of physical security
should have prevented anyone from getting near a switch with that level
of operational significance, let alone being able to activate it without
others being nearby.
(Honan): This story is a reminder that when dealing with disgruntled
employees you need to consider physical security and revoke their
physical access to key systems and not just their computer access. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --Missing Laptop Holds UK Parliament Security Details
(December 17, 2007)
A missing laptop computer holds sensitive information about a new
security system that protects the UK's Houses of Parliament. Physical
security has been enhanced at Parliament after members of two separate
special interest groups breached House of Commons security in 2004.
http://www.telegraph.co.uk/news/main.jhtml?view=DETAILS&grid=&xml=/news/2007/12/17/npols517.xml

 --Data Security Procedures Not Shared with Junior HMRC Staff
(December 15 & 17, 2007)
In an ironic twist in the HM Revenue & Customs data loss case,
information about how to share information safely was kept from junior
staff because it was believed that the manual contained too much
sensitive information to be widely distributed. Following the
presentation of an interim report on the HMRC data loss, Chancellor of
the Exchequer Alistair Darling said that the department needs to
establish "clearer lines of responsibility for data."
http://politics.guardian.co.uk/homeaffairs/story/0,,2227999,00.html?gusrc=rss&feed=networkfront
[Guest Editor's Note (Stephen Hall): These two stories under homeland
security were compounded yesterday by a third data loss by the UK.
Details here: http://news.bbc.co.uk/1/hi/uk_politics/7147715.stm
It is being downplayed as "not as serious" as the HMRC report. However
the information contained on the disk drive is perfect for fishing for
further information.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Apple Releases QuickTime and Java Fixes
(December 18, 2007)
Apple has released patches for vulnerabilities in its QuickTime Player
for both Mac OS X and Windows. QuickTime 7.3.1 fixes a buffer overflow
flaw in the Real-Time Streaming Protocol, as well as a heap buffer
overflow in the way QuickTime handles QTL files and unspecified flaws
in the QuickTime Flash media handler. Apple has also fixed 18
vulnerabilities in Java for Mac OS X 10.4, also known as Tiger. The
Java flaws do not affect Apple's Leopard operating system.
http://www.crn.com.au/News/67055,apple-issues-patches-for-quicktime-player-flaws.aspx
http://www.networkworld.com/newsletters/bug/2007/1217bug1.html
http://docs.info.apple.com/article.html?artnum=307176
http://docs.info.apple.com/article.html?artnum=307177
[Editor's Note (Skoudis): It has been a really bad year for QuickTime
from a security perspective. I've counted at least 7 major security
patches for it this year. Make sure you patch QuickTime thoroughly on
all of the systems in your enterprise that run it, or else the spyware
purveyors and cyber criminals will come hunting for them.
(Frantzen of Internet Storm Center): Apple also released a Security
Update 2007-009 and an update for the beta Safari for Windows. The
security update fixes 41 CVE names in one patch.
http://docs.info.apple.com/article.html?artnum=307179
http://docs.info.apple.com/article.html?artnum=307178
http://isc.sans.org/diary.html?storyid=3760 ]

 --IE Patch Reportedly Causes Connectivity Problems
(December 17, 2007)
Microsoft is looking into reports that an update for Internet Explorer
(IE) released last week is causing some users to be unable to connect
to the Internet. Messages posted to several sites indicate that users
who applied the fix in the MS07-069 security bulletin were either unable
to open IE or could not reach sites once it was open.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053300&source=rss_topic17

 --HP Offers Temporary Fix for Info Center Software Flaw
(December 14, 2007)
HP has issued a stopgap fix to protect users of HP notebooks from
becoming infected through a vulnerability in the pre-installed HP Info
Center software on the company's laptops. The stopgap measure
deactivates the software because merely uninstalling HP Quick Launch
Buttons, of which the vulnerable software is a component, does not
protect users. Attackers can exploit the flaw by luring vulnerable
users running IE 6 or 7 to specially crafted web pages. Info Center may
not be installed on all HP laptops.
http://www.heise-security.co.uk/news/100625
[Editor's Note (Cole): The more important question is how many people
actually use Info Center and if they do not use it why is it installed.
Most of the exploits that attackers are using are targeting software
that we do not use but were installed anyway.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Disk Holding UK Driving Test Results is Lost
(December 17, 2007)
A missing hard drive contains the names, addresses, phone numbers and
email addresses of three million UK driving test candidates. While no
financial information was contained on the drive, this is just one more
embarrassment for the UK government, which has experienced a rash of
data security problems in recent months. The disk is missing from a US
facility in Iowa.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053322&source=rss_topic17
http://www.theregister.co.uk/2007/12/17/dsa_test_data_loss/print.html

 --Students Allegedly Hack High School Computer System
(December 16, 2007)
An unspecified number of students at Monte Vista High School in Santa
Clara County, California allegedly broke into the high school's computer
system in an attempt to look at their final exam questions in advance.
The intrusion was discovered when a student found a piece of paper in
the school library with passwords written on it; the paper was given to
the librarian. The students allegedly used a program that allowed them
to discover the necessary passwords.
http://www.mercurynews.com/news/ci_7737995?nclick_check=1
[Editor's Note (Skoudis): What these kids did was wrong, and they should
be punished for it. However, I read the article and started reminiscing
about that old movie War Games from 1983, in which the main character
hacked into the school's computer by using a password scribbled down on
a piece of paper inside a desk (trivial pursuit question: which password
did he use? Next question: which passwords were crossed off the list?).
Today, the kids in this case used automated password guessing, but it's
still the fundamental weaknesses of passwords that plague us. (BTW, if
you are looking for holiday gifts for the geeks in your life, a copy of
War Games, Sneakers, and, yes, The Matrix on DVD make perfect stocking
stuffers for those who don't already have them.)]

 --Deloitte & Touche Employee Data on Stolen Laptop
(December 14, 2007)
A stolen laptop contains personally identifiable information of an
unspecified number of current and former Deloitte & Touche employees.
The data include names, Social Security numbers (SSNs), and birth dates.
Some Deloitte subsidiary employees are affected by the theft as well.
The computer was in the possession of a contractor who was scanning
pension fund documents for the company. The data are not encrypted.
Deloitte has stopped working with the contractor until it "can
demonstrate that it has implemented appropriate data security
protections."
http://www.scmagazineus.com/Deloitte-partner-principal-confidential-information-on-stolen-laptop/article/99945/
[Editor's Note (Schultz): If you read the full story, you'll find that
Richard Baker, an ex-employee of Deloitte & Touche, made an
almost-too-perfect comment about this incident: "What is particularly
egregious about this situation is that Deloitte is a 'noted' security
expert with seminars, whitepapers, service lines, etc. One would think
there would be security and encryption standards for all sensitive
personal data, whether managed internally or by outside vendors."
(Cole): With all of the traveling, the holiday season offers a prime
opportunity for laptop thieves. The trick to protecting a laptop is to
have a strong password or authentication in use. Encrypt your critical
data with either folder level or full disk encryption. Travel with your
system turned off, not in hibernation mode. Back up your critical data
before you leave so if your laptop gets stolen you will be able to
recover quickly.]

LIST OF UPCOMING FREE SANS WEBCASTS

Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED
SPEAKER: Johannes Ullrich
http://www.sans.org/info/20067
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED
SPEAKER: Paul Asadoorian
http://www.sans.org/info/20087
Sponsored By: Core Security

Embedded devices come into your network and appear in many different
forms, including printers, iPhones, wireless routers and network-based
cameras. What you might not realize is that these devices offer unique
opportunities for attackers to do damage and gain access to your network
- and to the information it contains. This webcast will review known
embedded device vulnerabilities and cover how these vulnerabilities can
be used to gain control of devices, networks, and data - and, more
importantly, what can be done about it.

********************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED
SPEAKER: Johannes Ullrich and John Weinschenk
http://www.sans.org/info/20062
Sponsored By: Cenzic http://www.cenzic.com/

This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.

SANS Special Webcast: Pinpointing and Proving Web Application
Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED
SPEAKER: Dr. Eric Cole
http://www.sans.org/info/20057
Sponsored By: Core Security

The September "Internet Security Threat Report" from Symantec reported
that 61% of all vulnerabilities disclosed in the first half of 2007 were
web application vulnerabilities. It's no wonder, since web apps are
often highly customized and can be rife with potential security holes.
Fortunately, recent advances in penetration testing products can help
you to pinpoint and prove web application security weaknesses - even in
customized apps.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN
NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED
SPEAKER: Jerry Shenk
http://www.sans.org/info/20052
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and
how much data should it store for post-mortem analysis? Join this
Webcast to hear senior SANS Analyst Jerry Shenk go over his test results
on the NetDetector/NetVCR 2005 and features such as full packet
inspection and the ability to call up and review raw data in its native
format.

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
